Iss acon2010 tomhave-navetta-final

776 views
713 views

Published on

Tomhave and Navetta presentation at the 2010 ISSA International Conference

Published in: Business, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
776
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Risk (reduced – least costs security controls)
    If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B < PL.
    Judge Learned Hand United States v. Carroll Towing Co. 159 F.2d 169 (2d. Cir. 1947)
    Risk-based factors in regulations
    the size, scope, complexity and type of business
    the amount of resources available to such person
    the amount of sensitive data
    nature and scope of its activities
  • Iss acon2010 tomhave-navetta-final

    1. 1. Legally Defensible, Proactively Protected David Navetta, Esq., CIPP Benjamin Tomhave, MS, CISSP
    2. 2. David Navetta, Esq., CIPP Founding Partner, InfoLawGroup LLP Co-Chair, ABA Information Security Committee Certified Information Privacy Professional (through IAAP)
    3. 3. Ben Tomhave, MS, CISSP Gemini Security Solutions MS Engineering Mgmt (InfoSec Mgmt) Co-Vice Chair, ABA ISC ~15 yrs (AOL, WF, E&Y, INS/BT, ICSA Labs)
    4. 4. “Just the Facts” Not if, but when Mounting legal costs Increasing regulatory burden SECURITY PROS WILL HAVE TO DEFEND THEIR DECISIONS IN A FOREIGN REALM: the legal world
    5. 5. The Gap is Acute Collision of the legal and information security worlds More regulations, more lawsuits, more contract obligations Making decisions that have legal implications and interpreting legal requirements Conversation is lacking or non-existent
    6. 6. Multiple Legal Regimes State, Federal, International (e.g. E.U.) Evolving & Overlapping laws, jurisdictions Regulator / private enforcement Contract law Tort law Securities law
    7. 7. Legal Defensibility Viewing requirements from an external legal perspective (plaintiff, judge, jury, regulator) Security choices become legal positions Security decision-making process with legal baked in The goal is to anticipate reasonably foreseeable (legal) consequences and reduce legal risks
    8. 8. Using Legal Defensibility... Key Attributes Real-World Examples Recommended Steps Action Plan
    9. 9. Sidebar: LegDef Origins Survivability ★ Defensibility ★ Recoverability Resilience How to codify?
    10. 10. Key Attributes Risk Management Awareness, Understanding, Translation Collaboration Documentation of... decision-making processes... key infosec decisions with potential for legal impact. Attorney-client privilege
    11. 11. Real-World Examples HHS: investigations v. actions http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historical Online banking Shames-Yeakel v. Citizens Financial Bank EMI v. Comerica Guin v. Brazos Higher Education Service Corp. Inc.
    12. 12. PCI Interpretative Variances 12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following: 12.8.1 Maintain a list of service providers. 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess. 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.
    13. 13. Security v. Legal Viewpoint PCI SECURITY VIEWPOINT V. LEGAL VIEWPOINT
    14. 14. Key Legal Issues “Reasonable” “Appropriate” “Comprehensive” “Adequate” Risk-based factors Size, scope, type, complexity of organization Nature and scope of activities Resources of company Sensitivity of data Volume of data Third-party security assessments – matching risk tolerance
    15. 15. Key Legal Issues What legal obligations? Interpretation by courts/regulators Foreseeability! Plaintiff attorney strategies Litigation strategy and procedure
    16. 16. Examples of Legal Obligations Security “standards” under the law Contract obligations Service providers and outsourcing Document retention and preservation
    17. 17. Indicia of Legal Compliance Risk analysis and remediation Comply with own policies Misrepresentations Specific controls Vendor management Compliance with standards
    18. 18. Recommended Steps A champion arises! Find your allies Perform analysis Create your strategy Execute (w/ documentation!)
    19. 19. Action Plan 1. Hold key stakeholder meeting(s) and collaboration 2. Conduct information security legal audit ★ What legal requirements apply? ★ Do current security measures address those legal requirements?
    20. 20. Action Plan 3. Conduct legal defensibility analysis: ★ Develop security decision process formally incorporating legal analysis ★ Address areas of non-compliance ★ Develop legal positions on high risk legal requirements ★ Develop legal positions for “gray area” legal requirements
    21. 21. Action Plan 4. Memorialize positions and proof: ★ Document indicia of legal compliance (e.g. identify standards compliant with, documentation of due diligence, etc.) ★ Document applicable legal positions under attorney- client privilege
    22. 22. Q & A THANK YOU!
    23. 23. Contact Information David Navetta, Esq., CIPP www.infolawgroup.com dnavetta@infolawgroup.com Benjamin Tomhave, MS, CISSP geminisecurity.com btomhave@geminisecurity.com

    ×